Re: [Xen-devel] Security vulnerability process, and CVE-2012-0217

On Wed, 4 Jul 2012, Jan Beulich wrote:
> >>> On 04.07.12 at 15:30, Stefano Stabellini
> >>> <stefano.stabellini@xxxxxxxxxxxxx> wrote:
> > Can we just avoid all this and use the security list to communicate that
> > a fix is going to be available on a particular hour of a particular day?
> > This way all the software vendors and service providers can ready
> > themselves to deploy it as soon as they can.
> > The fix would be released to the security list and xen-devel at the same
> > time.
>
> That would only call for each party trying to create and deliver
> their fix themselves and up front. You'd then also have to hide
> the issue description.

Yes, we would have to hide the issue description.

> Which would render the security list redundant.

It would be a very different kind of security list.

> > In practice, given the terms of the GPL, we cannot restrict anybody on
> > the list from releasing the source of the fix before the embargo ends.
>
> Of course. It's an agreement between the list members to not
> disclose anything.

Yes, but an agreement that cannot be legally enforced.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel